U.S. Department of Agriculture
Office of Inspector General
Financial & IT Operations

Audit Report
Food Safety and Inspection Service
Application Controls – Performance Based Inspection System

Report No. 24501-1-FM
November 2004

UNITED STATES DEPARTMENT OF AGRICULTURE
OFFICE OF INSPECTOR GENERAL
Washington D.C. 20250

DATE:      November 24, 2004

REPLY TO
ATTN OF:   24501-1-FM

SUBJECT:   Food Safety and Inspection Service
           Application Controls – Performance Based Inspection System

TO:        Barbara J. Masters
           Acting Administrator
           Food Safety and Inspection Service

ATTN:      Ronald F. Hicks
           Assistant Administrator
           Office of Program Evaluation, Enforcement, and Review

This report presents the results of our audit of application controls in the Food Safety and Inspection Service’s Performance Based Inspection System (PBIS). The report identifies additional policies, procedures, and system changes needed to ensure the confidentiality, integrity, and availability of data entered and stored in PBIS.

Your response to our draft report is included in its entirety as exhibit B, with excerpts incorporated into the findings and recommendations section of the report. Based on your October 29, 2004, response, we have reached management decision for Recommendations 2, 3, 5, 7, 8, 9, and 11. Please follow your internal procedures in forwarding documentation of final action to the Office of the Chief Financial Officer. For Recommendations 1, 4, 6, and 10, additional actions are needed to reach management decision.
Please refer to the OIG Position section of the report for specific details.

In accordance with Departmental Regulation 1720-1, please furnish a reply within 60 days describing the corrective actions taken or planned and the timeframes for implementation of the outstanding recommendations noted above. Please note that the regulation requires management decision to be reached on all findings and recommendations within a maximum of 6 months from report issuance.

The courtesies and cooperation extended to the auditors during our audit are appreciated.

/s/

ROBERT W. YOUNG
Assistant Inspector General for Audit

Executive Summary
Food Safety and Inspection Service Application Controls – Performance Based Inspection System (Audit Report No. 24501-1-FM)

Results in Brief

This report presents the results of our application controls audit of the Food Safety and Inspection Service’s (FSIS) Performance Based Inspection System (PBIS). Our objective was to evaluate whether FSIS had adequate and effective controls over the input, processing, and output of PBIS data. FSIS relies on PBIS to manage its inspection activities, a critical component of its mission to ensure that the nation's commercial supply of meat, poultry, and egg products is safe and wholesome. Overall, we found that FSIS had not implemented adequate controls to ensure the integrity of PBIS data. This ultimately may affect FSIS’ ability to adequately manage its inspection activities and to ensure that the nation's commercial supply of meat, poultry, and egg products is safe and wholesome.

FSIS had not established effective physical or logical controls over access to the PBIS data.
While FSIS management had established certain controls over access to PBIS data, our review disclosed several physical and logical control weaknesses that, if exploited, could result in (1) fraudulent or malicious data being entered into PBIS, (2) data being removed from PBIS, or (3) data being inappropriately changed in PBIS. FSIS relies on PBIS data to conduct establishment trend analysis, generate alerts of potential food-borne illness outbreaks, and other inspection results analyses. This lack of data integrity could ultimately result in trends in unsanitary conditions in federally inspected establishments not being identified and corrected timely.

FSIS personnel had not consistently entered data into the PBIS system. This occurred because FSIS had not established procedures or controls to ensure the data in PBIS was valid. Further, FSIS had not ensured that all field personnel, who are ultimately responsible for data entry, were appropriately trained in how to enter data into PBIS. As a result, there is reduced assurance that FSIS can conduct meaningful analyses using PBIS data to identify trends in unsanitary conditions, or thoroughly rely upon PBIS data to report the accurate operating status of processing establishments.

Changes to existing PBIS data can be made without authorization and validation and are not tracked or logged in the event that the original data needs to be recovered. FSIS management relies on field inspectors for all data input and assurance of data integrity.
As a result, FSIS management could not be assured that PBIS data is reliable or supportable.

FSIS was not using complete or up-to-date PBIS data to prepare management reports and conduct trend analysis. FSIS had not established written policies or controls to ensure that field inspectors synchronized, or replicated, their local systems with the master database on a daily basis. Further, FSIS headquarters personnel prepared management reports from backup PBIS data that was a week old. Due to the distributed nature of the PBIS database, field inspectors were required to use the slow and sometimes inconvenient method of dial-up connections to synchronize their data to the master database. FSIS officials informed us that preparing management reports from the central server database would cause too much activity on the master server. As a result, FSIS’ trend analyses may not accurately reflect true conditions in an establishment and may fail to timely identify a problem establishment.

The confidentiality, integrity, and availability of any application depends not only on the controls built into the application itself, but also on the underlying hardware, operating system, and network on which the application resides. Without effective physical and logical controls over network resources and the correction of operating system vulnerabilities, controls written into an application may be circumvented.
We found several vulnerabilities in the operating systems used to operate the PBIS system and the firewalls that protect those systems. FSIS management was not vigilant in identifying or correcting network vulnerabilities, and was still in the process of configuring its firewall rules. As a result, the integrity of PBIS data is at risk since these weaknesses may allow the controls built into the PBIS application to be circumvented.

Due to the lack of controls noted during our audit, FSIS cannot be assured that PBIS data is complete, accurate, and reliable. As a result, FSIS management may not have the information it needs to effectively manage its inspection activities. Without effective controls over data integrity, the PBIS system may be an unreliable repository that gives FSIS management a false sense that inspection activities are adequately carried out and sanitation of plant operations is accurately reported.

Recommendations in Brief

We recommend that FSIS:

• Establish access control policies in accordance with Federal guidelines to provide reasonable assurance that access is restricted to only authorized users and that legitimate users have access to only that information needed to perform their job functions.

• Establish a policy and implement controls to provide reasonable assurance that only authorized and allowable data is entered into PBIS and that data used for management reporting is current and reliable.

• Establish a policy and implement controls to (1) limit
  changes to PBIS data, (2) require adequate justification be maintained when changes are necessary, and (3) require that all changes to PBIS data be logged.

• Establish and implement procedures to ensure that all security settings are configured in accordance with departmental guidance, and vigilantly identify and correct network vulnerabilities.

Agency Response

FSIS generally agreed with the findings and recommendations in the report. However, FSIS responded that the report infers that inadequate controls over data entry in PBIS could ultimately lead to the occurrence of an outbreak of foodborne illness. FSIS stated that this inaccurately suggests that the Agency’s sole mechanism for enforcing its regulatory authority is accomplished based on information provided by PBIS. FSIS stated that PBIS is just one of a number of data sources that the Agency uses to prompt regulatory action.

OIG Position

While the information contained in PBIS is not the only data source FSIS has for prompting regulatory action, it is critical to planning, implementing, and documenting inspection activities. We contend that FSIS should continue to improve the timeliness and accuracy of PBIS data. This will enhance FSIS’ ability to schedule inspections based on the most comprehensive and updated information.

We were able to reach management decision on Recommendations 2, 3, 5, 7, 8, 9, and 11.
Our position on what is needed to reach management decision on Recommendations 1, 4, 6, and 10 is outlined in the findings and recommendations sections of the report.

Abbreviations Used in This Report

DM        Departmental Manual
FSIS      Food Safety and Inspection Service
HACCP     Hazard Analysis and Critical Control Point
ID        Identification
IT        Information Technology
NIST      National Institute of Standards and Technology
NR        Noncompliance Report
OCIO      Office of Chief Information Officer
OIG       Office of Inspector General
OMB       Office of Management and Budget
PBIS      Performance Based Inspection System
SDLC      System Development Life Cycle
TCP/IP    Transmission Control Protocol/Internet Protocol
USDA      U.S. Department of Agriculture

Table of Contents

Executive Summary
Abbreviations Used in This Report
Background and Objectives
Findings and Recommendations
    Section 1. Integrity of Data Input
        Finding 1    Weak Access Controls Jeopardize Data Integrity
            Recommendation No. 1
        Finding 2    Inconsistent Data Entry and Lack of Data Authorization and Validation Impacts PBIS Reliability
            Recommendation No. 2
            Recommendation No. 3
        Finding 3    Changes to PBIS Data Not Adequately Controlled
            Recommendation No. 4
    Section 2. Data Completeness and Timeliness Critical for Effective Management
        Finding 4    PBIS Data Not Complete or Timely
            Recommendation No. 5
            Recommendation No. 6
    Section 3. General Controls over System Security and Development Need Strengthening
        Finding 5    System Configuration and Vulnerabilities
            Recommendation No. 7
            Recommendation No. 8
        Finding 6    Lack of Security Planning and Segregation of Duties Jeopardizes the Continued Operation of PBIS
            Recommendation No. 9
            Recommendation No. 10
            Recommendation No. 11
Scope and Methodology
Exhibit A – PBIS Application Controls Matrix
Exhibit B – Agency Response

Background and Objectives

Background

Application controls are the structure, policies, and procedures that apply to separate, individual application systems. An application system is typically a collection or group of individual computer programs that relate to a common function.
In the Federal Government, some applications may be complex, comprehensive systems, involving numerous computer programs and organizational units, such as those associated with benefit payment systems. Application controls can encompass both the routines contained within the computer program code, and the policies and procedures associated with user activities, such as manual measures performed by the user to determine that data was processed accurately by the computer.

Application controls help make certain that transactions are valid, properly authorized, and completely and accurately processed by the computer. They are commonly categorized into three phases of a processing cycle:

• Input—data are authorized, converted to an automated form, and entered into the application in an accurate, complete, and timely manner.

• Processing—data are properly processed by the computer and files are updated correctly.

• Output—files and reports generated by the application actually occur and accurately reflect the results of processing, and reports are controlled and distributed to the authorized users.

In addition, general security controls and automated controls built into the operating system that support the application should also be considered. Weak controls that allow physical or logical access to the computers that store application data could be used to circumvent the controls established within the application itself.

The Food Safety and Inspection Service
(FSIS) is the public health agency in the U.S. Department of Agriculture (USDA) responsible for ensuring that the nation's commercial supply of meat, poultry, and egg products is safe, wholesome, and correctly labeled and packaged. The Performance Based Inspection System (PBIS) is a software application designed by FSIS to manage its Hazard Analysis and Critical Control Point (HACCP) assignment schedules, inspection procedures, and data reporting. PBIS is designed to use data entered by field inspectors and other district and State personnel, to create inspection schedules and maintain records of findings for reporting purposes. Further, data entered into PBIS is used by other critical management support systems such as FSIS’ early warning system, which alerts FSIS officials of potential food-borne illness outbreaks.

When it was first implemented in 1989, PBIS improved the uniformity and reporting of inspection activities. As the demands on meat and poultry inspection have grown, so have the demands on PBIS. Since its first implementation, PBIS has shifted from a paper-based system of data collection to the paperless system it is today. Using dial-up connections, inspectors receive their procedure schedules. Inspectors are also responsible for inputting their inspection results, also known as “entering feedback,” and transmitting this information to headquarters on a regular basis.
This process synchronizes, or replicates, the inspection findings from the local computer used by field inspectors to the PBIS national database, which resides in Washington, D.C. The following diagram explains how data flows within this distributed database:

[Diagram: data flow between the three parts of the distributed PBIS database]

  Master Database (Washington D.C.)

  Field Inspector Computers: At the inspector’s discretion, a dial-up connection is used to connect to the master database. This process transfers entered or changed data residing on the local database up to the master database. The local database receives an updated inspection schedule and any changes to records made at the district or National office levels.

  District Office Database: A high speed line allows synchronization every 4 hours. It transfers any changes made to records at the district office level, and receives new or changed data after any field inspector synchronization or changes made at the National office level.

In addition, field inspectors have the ability to enter noncompliance report (NR) records and analyze current and historical inspection results for all plans covered by their assignment.

Objectives

Our objective was to determine whether FSIS had established adequate controls to ensure that data entered into PBIS are properly authorized and completely and accurately processed.

Findings and Recommendations

Section 1. Integrity of Data Input

Input controls are perhaps the most critical of all application controls. It is this phase of the process that ensures only authorized, accurate, and complete data is entered into the application. Granting access to only authorized personnel, giving personnel only the level of access necessary to perform their job functions, and authorizing data before it is entered are all critical to ensuring the integrity of the data. We found that FSIS did not have effective controls in place to ensure that access to the PBIS system was controlled and that only authorized data and changes to that data were entered.
While FSIS had implemented some access controls, those controls were not entirely effective to ensure the integrity of the PBIS data. This ultimately may affect FSIS’ ability to adequately manage its inspection activities and to ensure that the nation's commercial supply of meat, poultry, and egg products is safe and wholesome.

Finding 1    Weak Access Controls Jeopardize Data Integrity

FSIS had not established stringent physical or logical controls over access to PBIS data. This occurred because FSIS had not conducted a thorough risk assessment to identify weaknesses in its access controls. Despite the controls that FSIS had established, our review disclosed several physical and logical control weaknesses that, if exploited, could result in (1) fraudulent or malicious data being entered into PBIS, (2) data being removed from PBIS, or (3) data being inappropriately changed in PBIS. FSIS relies on PBIS data to conduct establishment trend analyses, generate alerts of potential food-borne illness outbreaks, and other inspection result analyses.
The lack of data\n                               integrity could ultimately result in trends in unsanitary conditions in federally\n                               inspected establishments not being identified and corrected timely.\n\n                               The Department1 requires agencies to use individual user identifications (ID)\n                               and passwords to control access to systems processing personnel, financial,\n                               market-related, or other sensitive data. The Department also requires\n                               agencies to remove employee user accounts and passwords when the\n                               employee is no longer employed by the agency. Further, the Department2\n                               requires that systems be physically controlled and that only authorized users\n                               have access. The Office of Management and Budget (OMB) lists individual\n                               accountability as a primary mechanism for personnel security.3 It recognizes\n\n1\n  Departmental Manual (DM) 3140-1.6, \xe2\x80\x9cManagement ADP Security Manual,\xe2\x80\x9d part 6 of 8, Appendix D, Section 4.a.\n2\n  DM 3140-1, \xe2\x80\x9cManagement ADP Security Manual,\xe2\x80\x9d Section 14, \xe2\x80\x9cPhysical Security Standards,\xe2\x80\x9d dated July 19, 1984.\n3\n  OMB Circular A-130, Appendix III, \xe2\x80\x9cSecurity of Federal Automated Information Resources,\xe2\x80\x9d dated November 28, 2000.\nUSDA/OIG-AUDIT/24501-1-FM                                                                                             Page 3\n\x0c                                   that accountability is normally accomplished by identifying and\n                                   authenticating users of the system and subsequently tracing actions on the\n                                   system to the user who initiated them. 
Finally, both the National Institute of\n                                   Standards and Technology (NIST)4 and OMB advocate implementation of\n                                   the \xe2\x80\x9cleast privilege\xe2\x80\x9d concept, granting users only the access required to\n                                   perform their duties.\n\n                                   Access controls over system and application data include both physical and\n                                   logical controls and should provide reasonable assurance that computer\n                                   resources (data files, application programs, and computer equipment) are\n                                   protected against unauthorized modification, disclosure, loss, or impairment.\n                                   Physical access controls, such as locked server room doors, ensure that only\n                                   authorized personnel can physically handle and perform maintenance on\n                                   network servers and other hardware. Logical access controls such as user\n                                   names, passwords, and access permissions, ensure that only authorized users\n                                   have access to network resources from their workstations, and that users are\n                                   granted only the access that is needed to conduct their job responsibilities.\n\n                                   PBIS is a distributed database system. Daily inspection results are entered\n                                   into the PBIS database residing on the individual field inspector\xe2\x80\x99s computer.\n                                   No dial-up connection to the central PBIS server is required to enter or alter\n                                   the information in the inspector\xe2\x80\x99s local computer. 
At his or her discretion,\n                                   the inspector uses a dial-up connection to the central server in Washington,\n                                   D.C., to synchronize, or replicate, all new or changed data entered since the\n                                   last transmission to the central server.\n\n                                   Given the highly distributed nature of the PBIS application, access controls\n                                   over PBIS data and the computers that store the data are FSIS\xe2\x80\x99 first defense\n                                   against unauthorized access and modification of inspection data. Without\n                                   strong physical and logical access controls over PBIS data input and update\n                                   capabilities, the integrity of the application data may be compromised.\n                                   Further, with the lack of logging and an audit trail (see Finding No. 3),\n                                   neither FSIS management nor the Office of Inspector General (OIG) could\n                                   validate whether appropriate changes were made to the PBIS data FSIS uses\n                                   for trend analysis and alerts of potential food-borne illnesses.\n\n                                   Restricted to Authorized Users\n\n                                   Our visits to ten establishments in two districts disclosed that FSIS computers\n                                   used for PBIS data entry were not physically protected to prevent access by\n                                   unauthorized individuals. FSIS had not established written policies on how\n                                   employees were to properly safeguard PBIS data. 
For example, at one establishment, the computer resided in an office that opened into the employee break room. While the FSIS office door had been locked after normal business hours, we observed that the door was left unsecured while the field inspector performed his duties. FSIS personnel would not have known if establishment personnel had attempted to use the computer to enter, modify, or delete inspection data during the field inspector’s normal and routine absences.

[4] NIST Special Publication (SP) 800-12, “An Introduction to Computer Security,” dated October 1995.

While FSIS had established certain controls over PBIS data such as unique and separate user IDs and passwords for both the computer and the PBIS system, our observations disclosed that these controls were inadequate to ensure that data entry was restricted to only authorized users. Specifically, passwords were not properly safeguarded, and passwords did not meet established guidelines. At one district office, we found that the PBIS administrators had their user IDs and passwords taped to the side of their computer monitor.
This note included their user ID and password for both the computer and the PBIS application.

Additionally, password parameters in PBIS did not always meet departmental or Office of the Chief Information Officer (OCIO) requirements. FSIS had not established written password parameter requirements. For example:

• Password age was set at 180 days from creation to expiration. Departmental regulations[5] state that the maximum life for passwords on interactive systems, like PBIS, is no more than 90 days.

• Passwords were set at five characters. Current guidance issued by the OCIO requires the use of at least eight characters.

• While the user ID appropriately locked after three unsuccessful attempts, the lockout duration was only 60 seconds. OCIO guidance states that the account should be locked “forever,” that is, until unlocked by a system administrator.

• FSIS had not maintained online access logs, detailing the user ID and time of access for each connection to PBIS as required by departmental regulations.[6]

Further, we observed inspectors in five different establishments who would log into the computer and the PBIS application in the morning and remain logged in all day. Users had not manually logged out of PBIS during absences from the computer and PBIS did not have a feature to automatically log the user off for inactivity. As a result, any security protection provided by the establishment of user IDs and passwords was bypassed.
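The following added example, which is not PBIS code, enforces the parameters cited above: an eight-character minimum, a 90-day maximum password age, lockout after three failures until an administrator unlocks the account, an access log, and logoff after inactivity. The class and method names, the 15-minute idle limit and the PBKDF2 password hashing are assumptions, since the report specifies none of them.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta

MIN_PASSWORD_LENGTH = 8                  # OCIO minimum cited in the report
MAX_PASSWORD_AGE = timedelta(days=90)    # departmental maximum cited in the report
MAX_FAILED_ATTEMPTS = 3                  # lock after three unsuccessful attempts
IDLE_LIMIT = timedelta(minutes=15)       # assumption: the report gives no idle limit


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    password_set: datetime
    failed: int = 0
    locked: bool = False


class AccessGate:
    def __init__(self, admins):
        self.admins = set(admins)   # only these IDs may unlock accounts
        self.accounts = {}
        self.sessions = {}          # user_id -> time of last activity
        self.access_log = []        # (time, user_id, outcome) for every attempt

    def set_password(self, user_id, password, now):
        if len(password) < MIN_PASSWORD_LENGTH:
            raise ValueError("password shorter than the required minimum")
        salt = os.urandom(16)
        self.accounts[user_id] = Account(user_id, salt, _hash(password, salt), now)

    def login(self, user_id, password, now):
        outcome = self._check(user_id, password, now)
        self.access_log.append((now, user_id, outcome))
        if outcome == "ok":
            self.sessions[user_id] = now
        return outcome

    def _check(self, user_id, password, now):
        acct = self.accounts.get(user_id)
        if acct is None:
            _hash(password, b"\0" * 16)   # spend the same time as a real check
            return "denied"
        if acct.locked:
            return "locked"               # stays locked no matter how long the user waits
        if not hmac.compare_digest(acct.digest, _hash(password, acct.salt)):
            acct.failed += 1
            if acct.failed >= MAX_FAILED_ATTEMPTS:
                acct.locked = True
                return "locked"
            return "denied"
        acct.failed = 0
        if now - acct.password_set > MAX_PASSWORD_AGE:
            return "expired"              # correct password, but it must be changed first
        return "ok"

    def admin_unlock(self, admin_id, user_id, now):
        if admin_id not in self.admins:
            raise PermissionError("only a designated administrator may unlock accounts")
        acct = self.accounts[user_id]
        acct.locked, acct.failed = False, 0
        self.access_log.append((now, user_id, f"unlocked by {admin_id}"))

    def is_active(self, user_id, now):
        """Call before each data-entry action; ends sessions left unattended."""
        last = self.sessions.get(user_id)
        if last is None:
            return False
        if now - last > IDLE_LIMIT:
            del self.sessions[user_id]
            self.access_log.append((now, user_id, "idle logoff"))
            return False
        self.sessions[user_id] = now
        return True
```

Times are passed in explicitly so the behavior can be checked without waiting; a deployment would also protect the access log itself from modification.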
We further observed that password-protected screen savers on the systems that store PBIS data did not activate or allowed excessive time to lapse before locking access to the computer.

[5] DM 3140-1, Appendix D, paragraph 6b, dated July 19, 1984.
[6] DM 3140-1, Appendix D, paragraph 5, dated July 19, 1984.

FSIS management further informed us that one additional control they established was that the dial-up connections, used to transfer inspection data to the main server, automatically timed out after a short period of inactivity. While our tests confirmed that dial-up time-out settings were not consistently set and in some cases not set at all, this control is not effective in ensuring data integrity. Given the distributed nature of the PBIS data, access to the dial-up connection and central server would not be necessary to enter fraudulent or malicious information into the data stream. Simply entering or altering information on the field inspector’s computer would be sufficient for the information to be entered or modified, ultimately jeopardizing the integrity of the master PBIS database.

Restricted to Authorized Purposes

PBIS had not properly restricted authorized users as to what data they could enter. Specifically, we found that PBIS users were segregated into six user levels: consolidated, district, circuit supervisor, relief inspector, in-plant inspector, and compliance personnel.
According to FSIS management, each user level had a different functionality in each input screen of PBIS. For example, the “in-plant inspector” level was locked out of the “Applicant” tab so those users could not change an establishment’s name or grant date. Further, each computer used to access PBIS was limited in what establishment data could be accessed, limiting employees’ ability to access inspection data pertaining to establishments not under their control.

While we agree that these were good first steps in controlling inappropriate access, these controls were not adequate by themselves. Our review of the user levels for individuals in district offices disclosed that all employees in the district office, from secretaries to managers, had the same user level associated with their user ID and had the same access authorizations in PBIS. For instance, in one district office we visited, only two individuals had the job responsibility of resetting passwords for all district personnel; however, all employees in that office had the ability to reset any district office employee’s password. In addition, one district office employee who required read-only access had the ability to enter, delete, and alter information in PBIS.

Recommendation No. 1

Establish policies and implement stronger controls, in accordance with departmental and Federal guidelines, in PBIS and the systems on which PBIS data reside to ensure that access is restricted to only authorized users and that legitimate users have access to only that information needed to perform their job functions.

Agency Response. FSIS has fully deployed Windows XP on all Federal inspectors’ computers. Access requirements on computers with Windows XP meet departmental guidelines for password aging, length, etc. Several of the computers in the field that the OIG examined contained the Windows 95 operating system, which was not as secure as XP. Additionally, FSIS implemented mandatory online security awareness training for all users of computers. This training provides specific guidance on system security vulnerabilities, including methods for safeguarding passwords. Employees were required to complete the security awareness training by October 25, 2004.

Additionally, FSIS will develop a written policy on PBIS access control to limit and restrict access to PBIS data to only authorized users. The access control policy will ensure that guidance is provided on safeguarding passwords and that passwords meet departmental requirements. FSIS will issue this policy by January 2005.

OIG Position. We concur with FSIS’ actions to upgrade user systems, establish formal access control policies, and provide users security awareness training; however, we reported access controls throughout the PBIS system, not just with user workstations. For instance, the PBIS application contained only a few user categories (i.e., profiles) that did not sufficiently limit users’ abilities to access and update data consistent with their job responsibilities. In order to reach management decision FSIS needs to provide us timeframes for reviewing access controls throughout the PBIS infrastructure and ensure that adequate controls are put in place to limit access to PBIS data in accordance with NIST and departmental policy and the least privilege principle.

Finding 2    Inconsistent Data Entry and Lack of Data Authorization and Validation Impacts PBIS Reliability

FSIS personnel had not consistently entered data into the PBIS system. This occurred because FSIS had not established formal policies or procedures on how data should be entered, or ensured that all field personnel, who are ultimately responsible for data entry, were appropriately trained in how to enter data into PBIS. Further, FSIS relied heavily on field inspectors to ensure the validity of the data entered into PBIS, which is used by FSIS management to manage their HACCP program.
As a result, FSIS may not be able to conduct meaningful analysis to identify trends in unsanitary conditions or respond to PBIS data to report on the accurate operating status of processing establishments.

The Department[7] requires agencies to build application controls to prevent unauthorized access to data files; design and write applications to compare input controls with data, ensure the correct selection of files and validation of data, and protect the records associated with automated decision-making applications. In addition, NIST[8] requires that data be validated during collection and entry prior to use by the system.

Inconsistency in Data Entry

We observed that data entered into PBIS varied widely among the numerous field inspectors we visited. FSIS had not established formal policies on how data needs to be entered into PBIS. Further, numerous FSIS personnel informed us (and a lack of training documentation confirmed) that field inspectors and field supervisors had not been adequately trained on using PBIS. As a result, trend analyses and sanitation alerts based on PBIS data may be unreliable.

When FSIS field inspectors identify an unsanitary condition or other issue of noncompliance, the field inspector is required to enter the noncompliance in PBIS, creating an NR.
Once finalized, the NR data is locked in PBIS to prevent changes. The NR should then be printed out and provided to the establishment management for their signature and a description of what corrective action they are taking to correct the problem and prevent recurrence. According to FSIS procedures, once the corrective actions have been completed, the NR should then be flagged as closed in PBIS.

However, during our visits to 10 processing establishments, we observed that FSIS inspectors exercised their judgment on when to lock and close NR records.[9] While most inspectors we visited locked NR records appropriately, one field inspector had never locked an NR record until we brought this to the attention of the field supervisor and district office personnel. Since the inspector had never closed an NR, the establishment management had signed draft, not final, NR reports. The inspector informed us that he was never informed that he had to finalize, or lock, the NR. According to FSIS procedures, FSIS could not use draft NR reports as a justification for suspending inspection activities for unsanitary conditions.

[7] DM 3140-1, “Management ADP Security Manual,” Section 17, “Application System Development,” dated July 19, 1984.
[8] National Bureau of Standards (predecessor agency to NIST) Federal Information Processing Standards Publication 73, “Guidelines for Security of Computer Applications,” dated June 30, 1980. The Federal Information Security Management Act of 2002 gives NIST the authority to establish security requirements for Federal information systems.
[9] FSIS has programmed PBIS to flag NR records as ‘final’ which effectively locks the record to prevent changes. Once the establishment addresses the unsanitary conditions that were noted in the NR, the NR record is flagged as ‘closed.’

We observed that FSIS inspectors’ processes were even less consistent when it came to closing an NR record. We found instances where field inspectors closed NR records:

• when the NR was presented to or signed by establishment management even if no action was taken to correct the deficiency;

• only after the immediate cause of adulteration or contamination was eliminated, even if long-term preventative corrective action agreed to by the establishment had not yet been implemented; or

• after all immediate and long-term corrective actions had been taken.

FSIS’ procedures recognize that the timeliness of corrective actions to noncompliance issues is an indication of whether continued adulteration or contamination may recur.
Due to the inconsistent data entry, FSIS management would not have been able to use the NR record closed date recorded in PBIS to accurately evaluate whether processing establishments had made corrections to sanitation problems in a timely manner.

We also evaluated FSIS’ controls over suspending inspection activities. Inspectors used the PBIS “suspend” code to indicate that the mandatory inspections were being temporarily suspended due to custom slaughter or if a processing line was down for repair or upgrade, resulting in no inspections being scheduled by PBIS. However, other inspectors used the “suspend” code to indicate that FSIS inspectors were being withdrawn from the establishment due to the conditions in the plant and establishment’s continued ineffective corrective actions. Therefore, FSIS management may not be able to rely on PBIS data to accurately report those establishments that had inspection activities suspended due to sanitation violations.

We attribute the inconsistent data entry, in part, to FSIS not having provided effective training to field inspectors. We found that only 1 of the 12 field inspectors and field supervisors we interviewed had received training. One inspector indicated that the extent of the training received included only how to turn on the computer, start the program, and enter the user ID and password. Another field inspector received an automated tutorial that she was never required to complete.
The remaining 10 field inspectors and field supervisors indicated that they were simply provided with the application, a user’s manual, and a computer.

The lack of consistent coding of NR records and suspended establishments reduces the effectiveness of FSIS’ analysis of PBIS data.

Lack of Authorization or Second Party Review

FSIS had not implemented adequate controls to ensure that only authorized and complete data was entered and maintained in the PBIS system. FSIS officials relied on field inspectors to ensure that only authorized data was entered into the system, and therefore have not implemented controls over the authorization of data or second-party review process. This condition is more critical considering the weak access control issues we identified in Finding No. 1. As a result, FSIS management cannot ensure that only complete and accurate data is being used to manage its inspection activities.

Historically, FSIS maintained paper documents as evidence of its inspection activities. These paper documents were ultimately entered into the system and served as a supporting basis for the data that was entered. If necessary, FSIS could use the documents to verify that the data entered into the system was accurate and complete by performing reconciliations or verifications between system data and paper documents.
In paperless applications, like the current version of PBIS, controls such as those noted throughout this report need to be established to ensure the integrity of the data entered into the system.

FSIS officials informed us that field supervisors ensure that the inspection activities are conducted properly and that inspection results are entered into PBIS by conducting site visits to inspectors in their circuit. However, the frequencies of field supervisor visits to inspectors varied widely by supervisor and circuit, ranging from one visit a month to one visit a quarter. Because PBIS is a paperless system, it is impractical for supervisors to verify the accuracy of inspection reports during their visits.

Field inspectors are solely responsible for gathering and entering the results of their inspections without supervisory or independent review or approval. Further, FSIS is not conducting reconciliations of the data with expected results. Once the information is entered, PBIS accepts and processes all inspection results entered, using the data for trend analyses and indications of potential outbreaks of food-borne illnesses.

Recommendation No. 2

Establish a policy on how data is to be entered into PBIS, and implement controls to ensure that all PBIS users are provided adequate training on how to enter and control data in the PBIS database.

Recommendation No. 3

Establish a policy and implement controls to provide reasonable assurance that only authorized and allowable data is entered into PBIS.

Agency Response. To bolster the users’ understanding of entering data into PBIS, FSIS will issue a policy that provides instructions on when certain inspection information should be entered into the system. Also, FSIS plans to integrate the PBIS user’s guide as an online reference guide to further assist the users. In its release of PBIS version 5.1, the online help capability will assist inspection personnel in understanding how information should be entered into the system. In addition, FSIS’ Center for Learning will coordinate with the Office of Field Operations and the Chief Information Officer to provide PBIS 5.1 training.

FSIS expects to release PBIS version 5.1 by January 2005. FSIS will issue its policy document by March 2005.

OIG Position. We concur with FSIS’ management decision on these recommendations.

Finding 3    Changes to PBIS Data Not Adequately Controlled

Changes to existing PBIS data can be made without authorization and validation. FSIS management relies on field inspectors for all data input and assurance of data integrity.
FSIS had not implemented automated controls to ensure that changes made to PBIS data were tracked and logged. As a result, FSIS management could not be assured that PBIS data is reliable or supportable.

NIST[10] requires that data be validated during collection and entry. NIST further recognizes that the process of correcting errors in data is prone to contribute further errors and should be validated throughout the process. In a prior audit,[11] we reported that FSIS had not implemented a formal process for its database administrators to follow when making changes to the various databases maintained by its headquarters staff. We also found that numerous individuals had database administrative authority. In its response, FSIS stated that it had created a Change Control Board to oversee system changes, and would review the access levels of those individuals with administrative access to its databases.

[10] National Bureau of Standards (predecessor agency to NIST) Federal Information Processing Standards Publication 73, “Guidelines for Security of Computer Applications,” dated June 30, 1980.
[11] Audit Report No. 24099-1-FM, “Security Over the Information Technology Resources at the Food Safety and Inspection Service,” dated August 11, 2003.

At the 10 establishments visited, we observed that anyone with access to the field inspector’s local computer could change inspection data, regardless of who entered the data. For example, the field supervisor could change the results of inspections for establishments in his or her circuit, even if the field inspector entered the results. Additionally, FSIS did not program PBIS to maintain a justification for why the change was made. Further, the updated data overwrites the original on the local computer, and is replicated to the master database in Washington, D.C., the next time synchronization[12] takes place.

Discussions with field supervisors disclosed that changes had been routinely made to the data originally entered by the field inspectors. This occurred despite the fact, as mentioned in Finding No. 2, that paper evidence of inspections is not maintained to validate the accuracy of changes.
Further, the field supervisors did not have documentary evidence that the changes were necessary. One field supervisor informed us that he had accidentally overwritten the results of his subordinates’ inspection activities on more than one occasion. We were unable to verify whether data was missing due to accidental deletion because of (1) the lack of original source documents and (2) the lack of built-in controls to prevent or detect accidental modification or deletion of data.

For NR records that had been locked (see Finding No. 2), PBIS required an unlock code to make changes. Field inspectors and field supervisors are required to contact the district office to obtain an unlock code. However, we found that the district office personnel who issued the unlock codes did not ask for a justification or documentation of the changes. In addition, logs of the unlock codes were not maintained.

Finally, there were ineffective controls established to confirm or validate changes to NR records before being uploaded to the master database.
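The gaps described in this finding (originals overwritten, no recorded justification, unlogged unlock codes) are the ones a change log is meant to close. The following added example is not PBIS code: it keeps the prior value and a mandatory justification for every change, requires a named approver to change a locked record, logs rejected attempts, and chains entries by SHA-256 so later edits to the log are detectable. The class names, field names and record ID are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64


class ChangeRejected(Exception):
    pass


def _digest(entry):
    # Hash every field except the stored hash itself, in a stable key order.
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class InspectionStore:
    def __init__(self, unlock_approvers):
        self.unlock_approvers = set(unlock_approvers)  # assumed district-office IDs
        self.records = {}   # record_id -> {"fields": {...}, "locked": bool}
        self.log = []       # append-only; each entry carries the previous entry's hash

    def _append(self, **entry):
        entry["seq"] = len(self.log)
        entry["prev"] = self.log[-1]["hash"] if self.log else GENESIS
        entry["hash"] = _digest(entry)
        self.log.append(entry)

    def create(self, record_id, user, fields, when):
        self.records[record_id] = {"fields": dict(fields), "locked": False}
        self._append(action="create", record=record_id, user=user, when=when,
                     new=dict(fields))

    def lock(self, record_id, user, when):
        self.records[record_id]["locked"] = True
        self._append(action="lock", record=record_id, user=user, when=when)

    def change(self, record_id, user, field, value, justification, when,
               unlock_by=None):
        rec = self.records[record_id]
        reason = None
        if not justification.strip():
            reason = "no justification"
        elif rec["locked"] and unlock_by not in self.unlock_approvers:
            reason = "record locked, no approved unlock"
        if reason:
            # Refused attempts are logged too, so reviewers can see them.
            self._append(action="rejected", record=record_id, user=user,
                         when=when, field=field, reason=reason)
            raise ChangeRejected(reason)
        old = rec["fields"].get(field)   # the original value is kept, not overwritten
        self._append(action="change", record=record_id, user=user, when=when,
                     field=field, old=old, new=value,
                     justification=justification, unlock_by=unlock_by)
        rec["fields"][field] = value

    def history(self, record_id):
        return [e for e in self.log if e["record"] == record_id]


def first_bad_entry(log):
    """Return the index of the first altered or out-of-order entry, else None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != _digest(entry):
            return i
        prev = entry["hash"]
    return None
```

A chain kept only on the local computer can still be truncated or rebuilt by someone with full access to it, so the latest hash would need to be recorded elsewhere, for example at each synchronization, for the check to carry weight.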
The PBIS administrative assistants at the two district offices we visited informed us that they confirmed that changes were made to unlocked NR records, but they did not substantiate whether or not the change was appropriate or accurate. Additionally, the PBIS central server will accept and process the data regardless of whether the district office had confirmed the change.

[12] Synchronization is the process where data stored on the local field inspector’s computer is uploaded, or copied, to the master server.

Recommendation No. 4

Establish a policy and implement controls to (1) limit changes to PBIS data, (2) require adequate justification be maintained when changes are necessary, and (3) require that all changes to PBIS data be logged.

Agency Response. Information in PBIS can be generally categorized as incidents and profiles. Incidents describe events occurring at a discrete point in time, for example, inspections, noncompliance reports, etc. All these occur daily throughout FSIS. On the other hand, profile data is more static in nature and is not based on time or an event. Examples include Establishment Profiles, Circuit structure, District Staffing information, etc. While the information can (and does) change periodically, it’s not usually changing daily.
FSIS has established an information technology (IT) work group that is exploring the need for locking certain types of data in the system based on the classification of the information as either an incident or profile type.

Currently, PBIS maintains a transaction history log that tracks changes made in the system, and the users who made them. Enclosure 1 contains a transaction history report for the period October 17-22, 2004.

OIG Position. We agree that data in PBIS is subject to periodic and necessary change. However, we observed several instances where data in PBIS was changed without justification, without second party review, or without being adequately tracked in the event that a change was made inappropriately. If FSIS maintained paper documentation to support and verify changes made in the database, these controls may not be needed; however, the paperless environment in which PBIS data is entered requires more stringent controls to ensure the appropriateness of changes. To reach management decision, FSIS needs to provide us its plan and timeframes for reviewing how PBIS changes will be limited, justified, and thoroughly logged.

Section 2. Data Completeness and Timeliness Critical for Effective Management

Finding 4    PBIS Data Not Complete or Timely

FSIS was not using complete, or the available up-to-date PBIS data to conduct trend analyses.
This occurred because field inspectors were not required to synchronize their local systems with the master database on a daily basis. Further, FSIS Headquarters personnel prepared management reports from backup PBIS data that was a week old. Field inspectors did not synchronize due to the slow and sometimes inconvenient process of using dial-up access to the central server. FSIS officials informed us that preparing management reports from the central server database would cause too much activity on the master server. As a result, FSIS’ analytical procedures may not accurately reflect true conditions in an establishment and may fail to timely identify a problem establishment.

NIST[13] requires that data be validated during collection and entry prior to use by the system to ensure data is accurate, complete, consistent, unambiguous, and reasonable. Validation checks play a significant role in ensuring that data is complete.

After completing an inspection, field inspectors enter the results into the database residing on their local computers. The data resides on that local computer until the field inspector manually selects the PBIS feature to synchronize (replicate) any new and updated data from the local computer to the central PBIS server in Washington, D.C.
This central PBIS server is used to alert FSIS officials at both the national and district level of potentially serious sanitation trends, and is used by FSIS officials to conduct trend analyses on inspection results. Without complete and up-to-date inspection results, these projections and trend analyses are based on incomplete results and may not accurately reflect the conditions in an establishment and may fail to identify a problem establishment. The timeliness and completeness of PBIS data is critical to the effective management of FSIS inspection activities.

Data Synchronization

PBIS maintains the last synchronization date for every registered computer. Our review of all 3,660 computers registered in PBIS on March 19, 2004, disclosed that 1,072 (29 percent) had not synchronized within at least 3 days from the date of our analysis. Of those, 623 (17 percent) had not synchronized for 7 days or more. Therefore, FSIS was using incomplete data to identify sanitation trends and manage its inspection activities.

[13] National Bureau of Standards (predecessor agency to NIST) Federal Information Processing Standards Publication 73, “Guidelines for Security of Computer Applications,” dated June 30, 1980.

FSIS Headquarters personnel monitor PBIS reports that show computers that have not synchronized in 45 days.
Our review of one such report, dated February 27, 2004, disclosed that there were 63 computers, of which only 7 (11 percent) synchronized when the user was informed that they needed to synchronize. FSIS is supposed to remove systems from PBIS if they do not synchronize timely. However, we found that three computers were not eliminated from PBIS even though they appeared on this listing, and two computers appeared on two subsequent reports. Additionally, FSIS has no formal policy dictating how often the field inspectors should be synchronizing with the central server. Further, while reports are available in PBIS for district office managers to monitor synchronization, there is no formal requirement to run this report or instructions on what followup actions need to be taken.

Database Record Serial Numbers Not Tracked During Data Synchronization

In addition to the lack of controls requiring field inspectors to synchronize their local data with the PBIS master database, PBIS lacked adequate controls to ensure that complete synchronization occurs. Each database record in PBIS is assigned a unique serial number. FSIS officials informed us that the main purpose of this number was intended to ensure that duplicate data is not entered into the master database and that the data is complete. However, PBIS did not have an automated process to verify that all database record serial numbers are accounted for during processing.

For instance, a field inspector could delete a record in their local database prior to synchronizing with the master database.
Instead of maintaining a record that the database record once existed, PBIS simply removes the database record from the database. When field inspectors synchronized their local database with the master PBIS database, PBIS did not provide a warning message or produce an error report signaling the missing number in the sequence. As a result, FSIS has limited assurance that all data transmitted was appropriately synchronized from the local computer into the central server.

Recommendation No. 5

Implement a policy and establish controls to ensure that field inspectors synchronize inspection results daily and that all database records are accounted for during synchronization.

Recommendation No. 6

Implement a policy and establish controls to ensure that management reports and data analyses are generated from the most up-to-date data available.

Agency Response. FSIS is able to utilize data effectively from PBIS when the database is synchronized less frequently than daily. Guidance has been provided in the PBIS users’ guide for inspection program personnel to conduct daily synchronization. FSIS will determine whether the guidance provided in the PBIS users’ guide should be updated. FSIS will issue a policy and update the PBIS user’s guide, if necessary, establishing the time requirements for synchronization.

FSIS will issue a policy on time requirements for PBIS synchronization by March 2005.

OIG Position.
We concur with FSIS’ management decision on Recommendation No. 5.

Recommendation No. 6 also addressed FSIS’ process of producing management reports using the PBIS backup server, which is typically 2 weeks behind the live data. This time lag, in addition to the synchronization issues addressed in Recommendation No. 5, raises questions about the timeliness and reliability of the data on management reports. In order to reach management decision, FSIS needs to provide us with its plan and timeframes for reviewing the timeliness and reliability of PBIS management reports in performing its mission and taking any necessary actions resulting from its review.

Section 3. General Controls over System Security and Development Need Strengthening

The confidentiality, integrity, and availability of any application depends not only on the controls built into the application itself, but also on the underlying hardware, operating system, and network on which the application resides.
Without effective physical and logical controls over network resources and correcting operating system vulnerabilities, controls written into an application may be circumvented.

Finding 5 – System Configuration and Vulnerabilities

We found several vulnerabilities in the operating systems used to operate the PBIS system and the firewalls that protect those systems. FSIS management was not vigilant in identifying or correcting network vulnerabilities, and was still in the process of configuring its firewall rules. As a result, the integrity of PBIS data is at risk since these weaknesses may allow the controls built into the PBIS application to be circumvented.

OMB Circular A-130 requires agencies to assess the vulnerability of information system assets, identify threats, quantify the potential losses from threat realization, and develop countermeasures to eliminate or reduce the threat or amount of potential loss. Further, the Department OCIO has established a policy[14] that requires agencies to regularly scan their systems for known vulnerabilities using a Department-purchased vulnerability scanning tool.
Finally, NIST has published guidelines on the effective implementation of firewalls in Federal agency network environments.[15]

Transmission Control Protocol/Internet Protocol (TCP/IP) Vulnerabilities

We used a commercially available software tool that identifies vulnerabilities in network components that use the TCP/IP protocol (the protocol used on the public Internet). We found that FSIS had been using the same vulnerability assessment tool to periodically scan its network and correct vulnerabilities identified. We also found few vulnerabilities on FSIS’ network routers and switches, which indicates adequate configuration management over those devices.

[14] “Cyber Security Manual,” DM 3500-2, Chapter 6, Part 1, dated April 4, 2003.
[15] NIST SP 800-41, “Guidelines on Firewalls and Firewall Policy,” dated January 2002.

Our assessment, however, discovered a number of vulnerabilities on the server that FSIS uses as a backup server and the two state servers we scanned. FSIS had not conducted scans of these systems as vigorously as they did on the main PBIS database server. One of the most vulnerable weaknesses on the systems we scanned was the ability to easily identify user IDs on those systems.
This vulnerability provides a malicious user the information needed to conduct a brute force password attack and gain entry into those systems and potentially the entire network.

Firewall Rules

FSIS had not maintained its firewall in accordance with departmental[16] and NIST guidelines.[17] FSIS was still in the process of configuring its firewall rules when we performed our review. We found that FSIS had incorrectly entered firewall rules giving thousands of IP addresses the ability to pass through the firewall. Our analysis of FSIS’ firewall rules also revealed that several rules were either no longer needed, were redundant, or were not configured in the best interest of network security. For example, we found rules that allowed certain access using unsecured TCP/IP protocols to all systems behind the firewall rather than limiting that access to only certain systems.

Recommendation No. 7

FSIS should establish and implement procedures to ensure that all operating systems are configured in accordance with departmental guidance and vigilantly identify and fix TCP/IP vulnerabilities on all of its systems and network devices.

Agency Response.
FSIS will establish and implement procedures to ensure that all operating systems are configured in accordance with departmental guidance and identify and fix TCP/IP vulnerabilities on all of its systems and network devices. FSIS will establish procedures by April 2005.

OIG Position. We concur with FSIS’ management decision on this recommendation.

Recommendation No. 8

FSIS should establish and implement procedures to ensure that its firewall configuration is configured and maintained in accordance with NIST guidance.

[16] USDA OCIO Cyber Security Policy CS-012, “Gateway and Firewall Technical Security Standards,” dated January 18, 2002.
[17] NIST SP 800-41, “Guidelines on Firewalls and Firewall Policy,” dated January 2002, page 47/74.

Agency Response. FSIS will establish and implement procedures to ensure that its firewall configuration is configured and maintained in accordance with NIST guidance. FSIS will establish firewall procedures by April 2005.

OIG Position.
We concur with FSIS’ management decision on this recommendation.

Finding 6 – Lack of Security Planning and Segregation of Duties Jeopardizes the Continued Operation of PBIS

FSIS had not documented the PBIS system and had not established adequate segregation of duties regarding system development. Despite departmental requirements to document major applications during the system development cycle, FSIS officials informed us that they did not document their system due to other priorities. FSIS officials informed us that it was more important to get the application operational than it was to document its processes. As a result, FSIS cannot ensure that the PBIS system will continue to operate in the event of a disaster, major service disruption, or staff turnover.
Further, without controls over system development, FSIS could not ensure the integrity of the PBIS data used to manage its inspection activities, conduct trend analysis, and alert FSIS management and consumers of potential sanitation violations.

The foundation for security over IT resources is found in OMB Circular A-130, Appendix III, “Security of Federal Automated Information Resources.” This Circular establishes a minimum set of controls for agencies’ automated information security programs, including certifying to the security of any systems that maintain sensitive data, establishing contingency plans and recovery procedures in the event of a disaster, and establishing a comprehensive security plan. Further, DM 3140-1 requires that documentation be prepared and maintained throughout the entire system development lifecycle. Finally, Federal Information Processing Standards Publication 73 provides guidance for separation of system development, testing, and daily operation functions.

Lack of System Security Planning

FSIS has not prepared security plans, risk assessments, or disaster recovery plans for the PBIS system as required by departmental regulations, OMB A-130, and NIST. In a prior audit,[18] we reported that FSIS had not prepared security plans for its major applications and general support systems or ensured that its major applications were certified and accredited. The certification and accreditation process helps ensure that adequate security planning and operational guidelines and procedures are in place and operating effectively. In response to that audit, FSIS informed us that it would have all its major applications certified and accredited by June 2003; however, FSIS had only just begun this process during our fieldwork in early calendar year 2004.

[18] Audit Report No. 24099-1-FM, “Security Over the Information Technology Resources at the Food Safety and Inspection Service,” dated August 11, 2003.

OMB Circular A-130 states that all major applications and general support systems containing sensitive information require protection to assure its integrity, availability, or confidentiality; and therefore, require security plans. Security plans should define who has responsibility for system security, who has authority to access the system, appropriate limits on interconnectivity with other systems, and security training for individuals authorized to use the system.
Without security plans in place, FSIS is ill prepared to establish effective and comprehensive security over its systems and networks.

Risk assessments, as defined by NIST, are a systematic approach to assessing the vulnerability of information system assets; identifying threats, quantifying the potential losses from threat realization; and developing countermeasures to eliminate or reduce the threat or amount of potential loss. Until these risk assessments are completed, FSIS cannot be reasonably assured that all the risks attributable to PBIS have been considered and that appropriate steps have been taken to mitigate these risks. In our opinion, many of the risks associated with the PBIS system mentioned in this report would have been identified had a formal risk assessment been conducted.

We also found that FSIS is not fully prepared to respond in the event of a disaster or major disruption, and cannot be assured that vital PBIS data needed to support the management of its inspection program will be available without excessive disruption. One of the most critical weaknesses we found was that FSIS stores its master database server and two other servers that contained backup PBIS data in the same room. Further, FSIS does not back up the master server on tape or other portable media and have the media sent offsite in the event of a disaster or major disruption. FSIS officials were not concerned with these issues because every district office synchronizes with the master database every 4 hours.
FSIS officials informed us that the worst-case scenario would be that they would have to recreate the master database from the district office data. If this occurred, FSIS could lose up to 4 hours of data from every district, thereby causing its analysis of PBIS data to be incomplete and inaccurate.

During our fieldwork, FSIS had begun to certify and accredit its major applications. FSIS had prepared a statement of work to begin this process, which would include conducting a risk assessment, preparing security plans, and establishing a disaster recovery plan.

Inadequate Segregation of Duties Over System Development and Maintenance

In Finding No. 1, we reported that FSIS had not programmed PBIS to effectively limit access by employees to only the data and access capabilities needed to perform their job duties. In addition, FSIS had not established segregation of duties controls over system development and maintenance. FSIS had one person in charge of developing, programming, testing the PBIS system, and moving tested code into the production environment. Each of these functions should be separated to ensure that only authorized changes are made to applications, that the application is fully tested, and that only approved and tested code enters the production environment. In addition, the one FSIS employee also had complete control to add, delete, and modify any production information in the PBIS master database.

Recommendation No. 9

FSIS should document the application, data flow, and data elements of the PBIS system to provide the foundation of operational and security planning, and ensure the continual operation of the system in the event of a disruption of service or turnover in staff.

Agency Response. FSIS agrees that system documentation to assure the continuity of operation of the PBIS is important. FSIS will follow the Department’s standard System Development Life Cycle (SDLC) process for documenting its information systems. A standard SDLC, in accordance with Department requirements, will be adopted for all new major system development and modifications. FSIS will utilize a contractor to document the SDLC currently being used. The SDLC will be used on all new major system development and modifications. The SDLC will include a security study, feasibility study, requirements study, requirements definition, detailed design, programming, testing, installation, and post implementation review. A contract to document the SDLC for all new major systems and modifications will be awarded by November 2004.

In the meantime, documentation of PBIS version 5.1 will be completed by September 2005 to address a similar issue identified in the certification and accreditation process and scheduled in FSIS’ mitigation plan.

OIG Position. We concur with FSIS’ management decision on this recommendation.

Recommendation No. 10

FSIS should establish controls to ensure that the current certification and accreditation process is performed on a 3-year basis and that security planning documents remain up-to-date as required by OMB.

Agency Response. FSIS included, in its annual budget request, funding to provide for performing the certification and accreditation process on a 3-year basis as required by OMB.

OIG Position. We concur with FSIS’ plans to request funding to conduct certification and accreditation as required by OMB A-130. However, in order to reach management decision, FSIS needs to provide us its timeframes for establishing a formal policy and implementing controls for ensuring that the certification and accreditation process is actually performed as required by OMB throughout all of its systems’ life cycles.

Recommendation No. 11

Establish a policy and implement controls to ensure the proper segregation of duties over the PBIS system development, testing, and production environments.

Agency Response. FSIS is currently reorganizing the IT structure to segregate duties and responsibilities. The reorganized structure will ensure the separation of functions such as system development, testing, implementation, and configuration management. The reorganization is expected to be completed by January 2005.

OIG Position.
We concur with FSIS’ management decision on this recommendation.

Scope and Methodology

Our audit was part of a nationwide audit of selected USDA agencies. We reviewed application controls over the PBIS established by FSIS to ensure the confidentiality, integrity, and availability of information in that system. The review was conducted at FSIS Headquarters in Washington, D.C., two district offices, and ten processing establishments. District and processing establishments were judgmentally selected based on the size of the processing establishment, as reported by FSIS, and the type of processing conducted.

Fieldwork was performed from January through May 2004.

To accomplish our audit objectives, we performed the following audit steps and procedures:

• We reviewed policies, procedures, and system documentation when available relating to the PBIS system.

• We interviewed FSIS officials responsible for the development, management, and data input of the PBIS system.

• We performed tests of data authorization, completeness, and accuracy at selected district and processing facilities.

• We analyzed system source code and data records to verify the integrity of PBIS data.

This audit was performed in accordance with Government Auditing Standards.
The results of recently issued reports of FSIS’ inspection activities and security of IT resources were considered in preparing this report.

Exhibit A – PBIS Application Controls Matrix

Control Objective (Based on U.S. General Accountability Office Federal Information System Control Audit Manual): All data are authorized before entering the application system.

PBIS Control Technique(s)[19]:
• Data entered by field inspectors.
• Locked noncompliance report records require an unlock code by district office officials.

OIG Evaluation:
• PBIS is paperless and no input documents exist for subsequent validation or reconciliation.
• Unlock codes are provided by the district office without justification.
• Changes made to PBIS are flagged as ‘confirmed’ by district office without basis to confirm the validity of the change.
• PBIS is programmed to accept, process, and report all changed records even if not flagged as ‘confirmed’ by the district office.

PBIS Control Technique(s):
• User IDs and passwords are required on field, district, and headquarters computers.
• User IDs and passwords are

OIG Evaluation:
• Field inspector’s computers were not always physically protected from unauthorized
                                                                                           access.\n                                                        required to gain access into\n                                                                                            \xe2\x80\xa2    Not all password-protected\n                                                        PBIS application and data\n                                                                                                 screensavers were configured.\n                                                        maintained on field inspector\xe2\x80\x99s\n                                                                                                 Some we tested were disabled,\n                                                        computers.\n                                                                                                 others allowed too much time to\n                                                                                                 pass before locking the\n                                                    \xe2\x80\xa2   Password-protected screensavers\n                                                                                                 computer.\n                                                        locked access to computers.\n                                                                                            \xe2\x80\xa2    Password length, age, and\n          Restrict data entry terminals to                                                       lockout duration were not set in\n                                                    \xe2\x80\xa2   PBIS maintains records of all\n          authorized users for authorized                                                        accordance with Department and\n                                                        computers allowed to\n          purposes.                                    
                                          NIST guidelines.\n                                                        synchronize with the master\n                                                                                            \xe2\x80\xa2    PBIS maintains a log of\n                                                        database.\n                                                                                                 computers that have\n                                                                                                 synchronized their data with the\n                                                    \xe2\x80\xa2   User IDs and passwords are\n                                                                                                 master server.\n                                                        needed to dial-up to central\n                                                                                            \xe2\x80\xa2    PBIS user roles are broad in\n                                                        PBIS server.\n                                                                                                 nature and are not granular\n                                                                                                 enough to control access based\n                                                    \xe2\x80\xa2   Dial-up access to central server\n                                                                                                 on job responsibilities. 
For\n                                                        timed out after 10 minutes of\n                                                                                                 instance, a district office\n                                                        inactivity.\n                                                                                                 secretary had the same privilege\n                                                                                                 in PBIS as a district manager.\n                                                    \xe2\x80\xa2   Users are limited access to PBIS\n                                                        data based on one of six roles.\n          Master files and exception reporting      \xe2\x80\xa2   PBIS was programmed to              \xe2\x80\xa2    FSIS was not timely removing\n          help ensure all data processed are            synchronize with only registered         systems that had not\n          authorized.                                   computer systems.                        synchronized within 45 days.\n\n\n19\n     PBIS control techniques as reported to us by FSIS officials. No system documentation existed outlining the controls established.\nUSDA/OIG-AUDIT/24501-1-FM                                                                                                           Page 24\n\x0cExhibit A \xe2\x80\x93 PBIS Application Controls Matrix\n                                                                                                         Exhibit A \xe2\x80\x93 Page 2 of 2\n\n                                                                                    \xe2\x80\xa2   Our testing disclosed that no\n                                                                                        controls existed. 
FSIS relied on\n    All authorized transactions (data) are\n                                                                                        field inspectors to ensure that all\n    entered into and processed by the        \xe2\x80\xa2   No controls established.\n                                                                                        inspections performed and all\n    computer.\n                                                                                        noncompliance records were\n                                                                                        timely entered into the system.\n                                             \xe2\x80\xa2   FSIS Headquarters personnel\n                                                 produced a report showing field\n                                                 computers that had not             \xe2\x80\xa2   FSIS was not timely removing\n                                                 synchronized with the master           systems that had not\n    Reconciliations are performed to             database within 45 days.               synchronized within 45 days.\n    verify data completeness.                
\xe2\x80\xa2   FSIS Headquarters personnel        \xe2\x80\xa2   FSIS could not provide evidence\n                                                 judgmentally removed field             that other reconciliation reports\n                                                 computer\xe2\x80\x99s ability to                  were performed.\n                                                 synchronize (usually after\n                                                 appearing on the 45 day list).\n                                                                                    \xe2\x80\xa2   FSIS had not ensured that all\n                                                                                        employees receive adequate\n                                                                                        training. One inspector we\n    Data entry design features contribute\n                                             \xe2\x80\xa2   PBIS screens were user-friendly.       visited needed assistance from a\n    to data accuracy.\n                                                                                        field supervisor and district\n                                                                                        office to enter a noncompliance\n                                                                                        report.\n                                                                                    \xe2\x80\xa2   PBIS system accepted records\n                                                                                        that had been changed\n                                                                                        regardless of whether the\n    Data validation and editing are          \xe2\x80\xa2   PBIS data fields programmed to         \xe2\x80\x9cvalidated\xe2\x80\x9d field was checked.\n    performed to identify erroneous data.        accept certain values.             
\xe2\x80\xa2   PBIS users were not adequately\n                                                                                        trained in what constitutes a\n                                                                                        final and closed noncompliance\n                                                                                        report.\n                                                                                    \xe2\x80\xa2   FSIS had no programmed or\n    Erroneous data are captured,\n                                             \xe2\x80\xa2   No controls established.               manual controls in place to\n    reported, investigated, and corrected.\n                                                                                        identify erroneous data.\n                                             \xe2\x80\xa2   FSIS Headquarters personnel        \xe2\x80\xa2   FSIS\xe2\x80\x99 process for identifying\n                                                 produced a report showing field        computers that do not\n    Review of output reports helps\n                                                 computers that had not                 synchronize within 45 days\n    maintain data accuracy and validity.\n                                                 synchronized with the master           impedes the timeliness of the\n                                                 database within 45 days.               
data.\n\n\n\n\nUSDA/OIG-AUDIT/24501-1-FM                                                                                                 Page 25\n\x0cExhibit B \xe2\x80\x93 Agency Response\n                              Exhibit B \xe2\x80\x93 Page 1 of 6\n\n\n\n\nUSDA/OIG-AUDIT/24501-1-FM                               Page 26\n\x0cExhibit B \xe2\x80\x93 Agency Response\n                              Exhibit B \xe2\x80\x93 Page 2 of 6\n\n\n\n\nUSDA/OIG-AUDIT/24501-1-FM                               Page 27\n\x0cExhibit B \xe2\x80\x93 Agency Response\n                              Exhibit B \xe2\x80\x93 Page 3 of 6\n\n\n\n\nUSDA/OIG-AUDIT/24501-1-FM                Page 28\n\x0cExhibit B \xe2\x80\x93 Agency Response\n                              Exhibit B \xe2\x80\x93 Page 4 of 6\n\n\n\n\nUSDA/OIG-AUDIT/24501-1-FM                Page 29\n\x0cExhibit B \xe2\x80\x93 Agency Response\n                              Exhibit B \xe2\x80\x93 Page 5 of 6\n\n\n\n\nUSDA/OIG-AUDIT/24501-1-FM                Page 30\n\x0cExhibit B \xe2\x80\x93 Agency Response\n                              Exhibit B \xe2\x80\x93 Page 6 of 6\n\n\n\n\nUSDA/OIG-AUDIT/24501-1-FM                 Page 31\n\x0c"